MyDevSecOps ©2019 POWERED BY SNYK

The MyDevSecOps community is powered by Snyk Ltd. Our aim is to create a vendor-neutral space to share knowledge and best practices related to software security.


The perils of configuration security

With the growth of cloud and API-driven infrastructure came infrastructure as code. This movement shifted the management of configuration from a mainly hidden part of IT to a larger and more explicit part of software development. If you’re not writing YAML files, you’re probably writing tools to write YAML files.


But an incorrectly configured application can have an outsized impact on the common security challenges of confidentiality, integrity and availability.


In this discussion we’ll look at:

  • Examples of real-world hacks related to configuration issues

  • The problems found in projects like Kubernetes that have a large configuration surface area

  • What it looks like to apply application security approaches to infrastructure as code

  • Demos of tools that are emerging to help test configuration


This session should be of interest to developers and operators struggling with the explosion of configuration as well as security analysts interested in the higher level emerging problem of configuration security.


Resources mentioned in this session:

Coming soon


Gareth Rushgrove

Gareth Rushgrove is a Director of Product at Snyk, working remotely from Cambridge, UK, helping to build interesting tools for people to better secure infrastructure and applications. He has previously worked for the UK Government Digital Service focused on infrastructure, operations and information security, as well as at Puppet and Docker. When not working he can be found curating the Devops Weekly newsletter, hiking or reading a good book.

